E-mail authentication

ABSTRACT

A system and method for determining whether an e-mail originates from a sender authorized by an address provider to send the e-mail to an intended recipient&#39;s e-mail address. The e-mail identifies an address provider from which the intended recipient&#39;s e-mail address was obtained. The e-mail is delivered to the intended recipient only upon verification that the sender is authorized by the address provider to obtain the intended recipient&#39;s e-mail address. The system and method may also provide for determining whether an e-mail originates from a forged source. A server receives data relating to an e-mail, including a purported sender and a verification host. The server queries the verification host with information pertaining to the e-mail and requests confirmation that the e-mail originates from the purported sender. The e-mail is determined to originate from a forged source unless the verification host responds that the e-mail originates from the purported sender.

BACKGROUND

1. Field

The present application relates to systems and methods forauthenticating electronic communications that are transmitted throughcomputer networks, and more particularly, to authenticating e-mailsprior to delivery to the intended recipient.

2. Description of Related Art

Unsolicited, unwanted commercial e-mail messages, known commonly as“spam”, comprise an increasing volume of e-mail traffic worldwide. Atthe same time, many consumers want to receive some unsolicitedcommercial e-mail relating to selected areas of interest. Such e-mailmay include, for example, special offers, news or price reductions, newsabout new product releases, receipts of completed transactions, shippingnotices, or other information of interest. Although various methods havebeen developed to block or filter spam before it reaches its intendedrecipients, a problem persists in determining exactly where to draw theline between unwanted spam and desirable commercial e-mail.

The need to distinguish between spam and legitimate commercial e-mail isespecially important today, as more and more people rely on the Internetto conduct financial transactions and to make online purchases through avariety of commercial web sites. E-mails relating to these transactions,or e-mails from other authorized commercial sources, may bemisclassified as spam and blocked from delivery to the intendedrecipients. Thus, spam blockers and filters may suffer from being eitherunder inclusive or over inclusive as to the e-mails which are blocked asspam. In the first instance, the e-mail recipient may continue toreceive a volume of spam e-mail, rendering the spam filter useless. Inthe second instance, however, the e-mail recipient may not receivelegitimate e-mails which are misclassified as spam by virtue of theircommercial nature.

Many spam blockers and filters have attempted to solve this problem bycreating a targeted list of e-mail or IP addresses that are known to beused by senders of unwanted messages. These are known as “blacklists”and aid in blocking messages from the listed addresses. Blacklisting,however, can be readily evaded by the simple expedient of altering thesender's e-mail address. In addition, spammers may forge informationcontained in the e-mail, so that spam appears to originate from alegitimate source. Furthermore, spammers have increasingly sought tocompromise the security of consumer and business computers to send spamfrom an enormous variety of IP addresses. Thus, targeted approaches thatattempt to filter out spam based on its source are not as effective asdesired.

Moreover, there is a need to distinguish between fraudulent andlegitimate commercial e-mails. Fraudulent e-mail includes those in whichthe e-mail is forged or altered to appear to have originated from asource other than its actual source. There are no safeguards in normalSimple Mail Transfer Protocol (SMTP) to prevent such e-mails from beingsent. Thus, spammers can send e-mails which purport to originate fromsenders that the intended recipient would ordinarily trust. Thispractice also allows spammers to avoid receiving non-deliverynotifications (bounces) to their real addresses, fraudsters to covertheir tracks and remain anonymous and phishers (password fishers) toimpersonate well-known, trusted identities in order to steal passwordsor other sensitive, personal information from users.

Various approaches have been proposed to prevent sender address forgery.One approach is Sender Policy Framework (SPF), an extension to SMTPwhich allows software to identify and reject forged addresses in theenvelope sender address, e.g., SMTP MAIL FROM (Return-Path). SPF allowsthe owner of an Internet domain to use a special format of DNS TXTrecords to specify which hosts are authorized to transmit e-mails for agiven domain. Thus, a receiving mail server performs a check todetermine whether the e-mail comes from an authorized host. Typically,such checks are done by the receiving mail transfer agent, but can beperformed elsewhere in the mail processing chain so long as the requiredinformation is available and reliable. SPF is further defined in RFC4408.

One significant benefit of SPF is to those whose e-mail addresses areforged in the Return-Paths. They receive a large mass of unsolicitederror messages and other auto-replies, making it difficult to use e-mailnormally. If such people use SPF to specify their legitimate sending IPswith a FAIL result for all other IPs, then receivers checking SPF canreject forgeries, reducing the amount of back-scatter.

The SPF method, however, may be subject to certain vulnerabilitiesbecause it depends on the reliability of the DNS TXT records identifyingauthorized hosts and on the security of authorized hosts. Moreover, SPFnormally only validates the domain of the envelope sender (in theReturn-Path). Thus, domains that share mail senders (e.g. with virtualhosting) can forge each others' domain and SPF does not validate that agiven e-mail actually comes from the claimed user, because it operatesat the network level.

It would be therefore desirable to overcome these and other limitationsof the prior art. Systems and methods are needed, which can distinguishbetween spam and legitimate commercial e-mail and, in certainembodiments, more effectively determine whether an e-mail originatesfrom a forged source.

SUMMARY

The invention provides a system and method for determining whether ane-mail originates from an authorized sender. An authorized sender refersgenerally to one who obtains e-mail addresses from, and is authorizedby, an address provider to send e-mails to one or more intendedrecipients. The address provider is thus a source of e-mail addresses,which the address provider may have obtained through a variety ofmethods. For example, an address provider may maintain a website whichallows users to register their e-mail addresses for the purpose ofreceiving e-mails and also for the purpose of authorizing furtherdistribution of their e-mail addresses to authorized senders. Manycommercial sites currently operate in this manner, obtaining acustomer's or subscriber's consent for receiving e-mails when a new userregisters with the site. Such sites may therefore be “address providers”authorized to provide a recipient's e-mail address to authorizedsenders, optionally subject to limitations imposed by the recipient.Also optionally, the address provider may have an existing relationshipwith the recipient, for example, the recipient may be a past customer ofthe address provider. Thus, the address provider may be motivated toavoid authorizing excessive e-mail to the recipient, to avoidantagonizing the recipient or risking loss of a customer.

In accordance with the methods and systems disclosed herein, e-mailsthat are transmitted by an authorized sender may include informationidentifying the sender, the intended recipient, and the address providerfrom which the sender obtained the intended recipient's e-mail address.The e-mail may then be delivered to the intended recipient only afterthe address provider or an authentication server verifies that thesender was authorized by the address provider to send e-mails to theintended recipient.

In an embodiment of the invention, a method is provided for determiningwhether an e-mail to an intended recipient originates from an authorizedsender. The method comprises receiving an e-mail directed to an intendedrecipient's e-mail address, wherein the e-mail includes informationidentifying a sender and an address provider from which the senderobtained the intended recipient's e-mail address; querying anauthentication server to verify whether the sender is authorized by theaddress provider to send the e-mail to the intended recipient; andreceiving a response from the authentication server. These method stepsmay be performed by a mail server for the intended recipient, a mailserver for the sender, a network server, or by software residing on theclient computer.

The e-mail may be delivered to the intended recipient if the responseindicates that the sender is authorized by the address provider to sendthe e-mail to the intended recipient. The e-mail is not delivered,discarded, marked as spam, or segregated as spam if the responseindicates that the sender is not authorized by the address provider tosend the e-mail to the intended recipient.

The authentication server may be provided directly by the addressprovider or by a third party that is associated with the addressprovider and one or more different address providers. The addressprovider refers generally to the source from which the sender obtainedthe intended recipient's e-mail address. Accordingly, in instances wherethe sender obtains e-mail addresses directly from the intendedrecipients, the sender is also the address provider. In instances wherethe sender obtains e-mail addresses from another party, the sender andthe address provider are two different entities. In both instances, thesender is authorized by the intended recipient, either directly orindirectly through an address provider, to direct e-mail to therecipient.

In accordance with one embodiment, the authentication server may beprovided directly by the address provider. In an aspect of thisembodiment, the authentication server accesses a database comprising afirst list of client e-mail addresses and determines whether theintended recipient's e-mail address is on the first list of cliente-mail addresses. If the intended recipient's e-mail address is on thefirst list of client e-mail addresses, the address provider issues aresponse indicating that the sender is an authorized sender. On theother hand, if the intended recipient's e-mail address is not on thefirst list of client e-mail addresses, the address provider issues aresponse indicating that the sender is not an authorized.

In another aspect of this embodiment, the authentication server accessesa database comprising a second list of approved senders. Theauthentication server determines whether the sender is on the secondlist of approved senders. If the sender is on the second list ofapproved senders, the authentication server issues a response indicatingthat the sender is an authorized sender. On the other hand, if thesender is not on the second list of approved senders, the authenticationserver issues a response indicating that the sender is not an authorizedsender.

In accordance with another embodiment, the authentication server may beprovided by a third party that is associated with the address providerand one or more different address providers. In accordance with thisembodiment, the authentication server may first select and access thedatabases that are associated with the address provider identified inthe e-mail. Again, the database may comprise a first list of cliente-mail addresses, a second list of approved senders, or both first andsecond lists. The authentication server then determines if the intendedrecipient is identified on the first list of client e-mail addresses, ifthe sender is identified on the second list of approved senders, orboth. Once the authentication server makes this determination, asuitable response is issued by the authentication server

There are advantages to having the address source identified in thee-mail. The identity of the address provider is no longer hidden. Thus,it allows e-mail recipients to monitor an address provider'sdistribution of their e-mail address to other parties and to policeagainst any uncontrolled or unauthorized distribution of their e-mailaddress. For example, a user may have registered his e-mail with anaddress provider and authorized the distribution of his e-mail addressto a specific group of senders or other predefined scope, such assubject matter or interest groups. Thus, if the user receives e-mailswhich are outside the user's predefined scope, the user will be able toidentify the source of such e-mails. This, in turn, will also encouragethe address provider to distribute e-mail addresses more responsibly orrisk losing its customers or clients.

E-mails may be altered or forged to appear as if they originate from anauthorized sender or other legitimate source. This may be accomplishedin a number of ways, such as changing the “FROM” e-mail header toidentify an authorized sender or other legitimate source instead of theactual source. It may therefore be desirable to perform additional stepsof authenticating that the e-mail actually originates from the sender orsource identified in the e-mail, preferably before delivering the e-mailto the intended recipient.

Thus, in another embodiment of the invention, a method is provided fordetermining whether at least one e-mail originates from a forged source.In accordance with this embodiment, forged e-mail, e-mails sent fromcompromised computers, and the like, are considered as not being sentfrom the purported source and the delivery of such e-mails to theintended recipients is blocked or otherwise prevented.

In accordance with one aspect of this embodiment, a mail server receivesdata pertaining to at least one e-mail directed to at least one intendedrecipient, wherein the data includes information identifying a purportedsender and a verification host. The data may be included in the e-mailenvelope, header, or body. Optionally, the data may be provided separatefrom the e-mail or any part of the e-mail. The information identifyingthe purported sender may include any one or more of an e-mail address, adomain name, and an IP address. The verification host may be a serverassociated with the purported sender or a third party server authorizedby the purported source.

The mail server then queries the verification host to confirm that theat least one e-mail originates from the purported sender. The queryincludes information identifying at least one e-mail and may include anyone or more of the following: a hash value, a checksum, a digest of thee-mail, an authorization code, and at least a portion of the e-mailenvelope, header or body.

The mail server then receives a response from the verification host thatindicates whether or not the at least one e-mail originates from thepurported sender. The e-mail is determined to originate from a forgedsource unless the response received from the verification host indicatesthat the e-mail originates from the purported sender.

In accordance with one aspect of the embodiment, if no response isreceived from the verification host within a predetermined time periodor a predetermined number of query attempts, the e-mail is treated asoriginating from a forged source. The predetermined time period may beany set time period, ranging from 1 minute to 24 hours and thepredetermined number of query attempts may range from 1 attempt to 100attempts. If no reply is received within the predetermined time periodor number of query attempts, or if the e-mail is returned as a bounce,normal delivery of the original e-mail is prevented. For example, thee-mail may be delivered to a “suspected spam” folder or discardedentirely.

The method may further comprise a step of determining the identity ofhosts authorized to transmit e-mails for the purported sender anddetermining whether the at least one e-mail is being transmitted from anauthorized host. Delivery of the e-mail to the intended recipient may beprevented if the at least one e-mail is not being transmitted from anauthorized host.

In yet another embodiment, a system may be provided for authenticatingthe dispersal of an intended recipient's e-mail address from an addressprovider to a sender. The system comprises a mail server for receivingan e-mail directed to an intended recipient's e-mail address, whereinthe e-mail includes information identifying the sender, the intendedrecipient, and the address provider from which the sender obtained theintended recipient's e-mail address; an authentication server accessibleby the mail server, wherein the authentication server receives andresponds to queries from the mail server; and a database accessible bythe authentication server, wherein the database comprises informationthat permits the authentication server to determine whether the senderis authorized by the address provider to obtain the intended recipient'se-mail address. The address provider that provided the recipient'se-mail address may be identified in any one or more from the groupconsisting of: the e-mail header, subject line, and body.

In an aspect of this embodiment, the database information comprises afirst list of client e-mail addresses associated with the addressprovider, wherein the dispersal of the intended recipient's e-mailaddress from an address provider to a sender is authorized if theintended recipient's e-mail address is on the first list.

In another aspect of this embodiment, the database information comprisesa second list of approved senders associated with the address provider,wherein the dispersal of the intended recipient's e-mail address from anaddress provider to a sender is authorized if the sender is on thesecond list.

In addition, a method is provided for determining whether or not ane-mail originates from the sender listed in the e-mail header; i.e.,determining whether or not the return address information has beenforged. The method comprises receiving an e-mail directed to theintended recipient's e-mail address, wherein the e-mail includesinformation identifying a sender; and submitting a request to the senderrequesting a return confirmation of sending the e-mail to the intendedrecipient's e-mail address. The e-mail is determined to originate from aforged address provider unless the return confirmation is received fromthe sender within a predetermined time period or query attempts.

In an aspect of this embodiment, the information identifying the sendermay be selected from the group consisting of: an IP address associatedwith the sender and an e-mail address associated with the sender.

In another aspect, the request to the listed sender may compriseproviding a hash value or checksum for the e-mail and requesting thatthe sender confirm sending the e-mail with the same hash value orchecksum.

Other objects, features and advantages of the technologies disclosedherein will become apparent to those skilled in the art from thefollowing detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram showing exemplary steps of a method fordetermining whether or not an unsolicited incoming message has beenauthorized by an address provider.

FIG. 2 is a flow diagram showing exemplary steps of a method fordetermining whether or not a listed sender of an incoming message isforged.

FIG. 3 is a block diagram showing an exemplary e-mail authenticationsystem for performing the methods disclosed herein.

Like numerals refer to like parts throughout the several views of thedrawings.

DETAILED DESCRIPTION

A system and method are described herein for determining whether ane-mail originates from a sender who is authorized by an address providerto send the e-mail to an intended recipient's e-mail address. Alsodisclosed herein are a system and method for determining whether ane-mail originates from a forged sender.

Although embodiments will be described herein in the context of certaine-mail standards set forth by the Internet Engineering Task Force(IETF), it is understood that the technology is not restricted to suchstandards. Examples of pertinent Request for Comments (“RFCs”), whichdefine these e-mail standards, include but are not limited to as such asthe Standard for the Format of ARPA Internet Text Messages (RFC822);Internet Message Format (RFC2822); and Simple Mail Transfer Protocol(RFC821/2821). The RFCs that define e-mail standards are available onthe Internet through the IETF web site (www.ietf.org).

An e-mail generally consists of an envelope that represents the SMTPtransaction, a header, and a body containing the actual text of themessage and any attachments. The envelope is used internally by theMessage Transfer Agent (MTA) to route the message. The MTA is the serversoftware used to transfer e-mail over the network. The header includesinformation relating to the transmission of the e-mail, such as Date,From, To, or BCC. Other fields include Subject, CC, Reply-To, Received,Message-Id. The body represents the actual content of the e-mailmessage. The e-mails that are transmitted by an authorized senderinclude information that identifies the sender, the intended recipient,and the address provider from which the sender obtained the intendedrecipient's e-mail address.

A sender may obtain an e-mail address through a variety of methods andsources. The sender may obtain an e-mail address directly from theintended recipient by, for example, enabling users to register theire-mail addresses on a web site that is associated with the e-mailsender. The sender may also obtain e-mail addresses from addressproviders. For example, an address provider may have a feature on itsweb site that allows users to register and provide their e-mailaddresses for future communications regarding that company's products orservices and indicate whether he authorizes the address provider toprovide his e-mail to certain other affiliates. If the user authorizesthe distribution of his e-mail, then these other affiliates may becomeauthorized senders.

FIG. 1 show exemplary steps of a method for determining whether or notan unsolicited incoming message has been authorized by an addressprovider. Although the methods and systems are described as beingperformed by a mail server for the intended recipient, it is understoodthat the methods and systems may also be performed and used inconnection with the mail server for the sender, client-based software,server-based software, network appliances, and third party services.

As depicted in FIG. 1, the mail server receives an e-mail from thenetwork to an intended recipient's e-mail address 100. The mail servermay then determine whether the e-mail identifies the sender and theaddress provider from which the sender obtained the intended recipient'se-mail address 120. The mail server may be configured to distinguishe-mails which identify an address provider from e-mails that are eitherfrom an unrecognized source or do not include information identifying anaddress provider. Generally, if the sender is recognized as an approvedmessage source, it will not be necessary to determine whether or not anaddress provider in identified. For example, if the e-mail clientrecognizes e-mail from joesmith@aol.com as from an approved source, itis not necessary to determine who provided this sender with therecipient's e-mail address. By the same token, if the e-mail comes froman unrecognized source such as sales@acmecorp.com, then it may beadvantageous to determine where this sender obtained the recipient'saddress. Step 100 may, in the alternative or in addition, be performedby a client-side application or by any application operative to processreceived e-mail at any point before it is delivered to a client's localor remote e-mail inbox.

Typically, the sender is identified in the “FROM” or “SENDER” fields inthe e-mail header and the intended recipient is identified in the “TO”,“CC” or “BCC” fields in the e-mail header. The address provider may beidentified in any number of ways in the e-mail.

In accordance with one aspect of the preferred embodiments, the addressprovider may be identified in an additional user-defined field that isadded to the e-mail header. User-defined fields may have names which arenot already in use in any definitions of extension fields, and theoverall syntax of the user-defined fields may conform to the relevantRFC822/2822 specifications. In accordance with another aspect of thepreferred embodiments, the address provider may be identified in thee-mail header, subject line, or body and separated by machine-readablecharacter delimiters so as to permit ready identification of the addressprovider.

If the e-mail includes information identifying the address provider, themail server may contact the address provider or other designatedauthentication server to determine whether the e-mail is, in fact,authorized 130. An address for the authentication server may be includedin the e-mail, or may be elsewhere defined for the mail server or mailclient to whom the e-mail is directed.

In one embodiment, the address provider serves as the authenticationserver for e-mails in which the address provider is identified. Thefirst query may comprise requesting that the authentication serverdetermine whether the intended recipient's e-mail address is found in adatabase of client e-mail addresses that is associated with the addressprovider 140. The second query may consist of requesting that theauthentication server determine whether the sender's e-mail address isfound in a database of approved senders associated with the addressprovider 150. Either or both first and second queries may be performedbefore the authentication server sends its response 160.

In another embodiment, a third party authentication server may be usedto authenticate e-mails in which the address provider is identified,wherein the third party authentication server is associated with theaddress provider and one or more different address providers. Inaccordance with this embodiment, the third party authentication servermaintains separate databases for each address provider. Thus, when athird party authentication server receives a query to authenticate ane-mail, the third party authentication server accesses the appropriatedatabase associated with the address provider identified in the queriede-mail. The database associated with the address provider may comprise alist of client e-mail addresses associated with the address provider, alist of approved senders associated with the address provider, or both.Thus, an e-mail is authenticated if the intended recipient is found onthe list of client e-mail addresses associated with the addressprovider, if the sender is found on the list of approved sendersassociated with the address provider, or both.

If the authentication server communicates a response to the mail serverthat the e-mail is authorized 160, the mail server will then cause thee-mail to be delivered to the intended recipient's e-mail address 170.If the authentication server communicates a response that the e-mail isnot authorized or if the authentication does not respond within apredetermined period of time or query attempts by the mail server 145,the mail server will then take a different action, such as deleting thee-mail, preventing the delivery of the e-mail to the intended recipient,or marking or segregating the e-mail as spam such as by placing it in aspam folder 147.

In the event that the e-mail received by the mail server does notidentify both the sender and the address provider, the mail server maythen subject the e-mail to a conventional spam detector/filter program125. If the e-mail is determined to be spam 128, the e-mail may bediscarded 147. If, however, the e-mail is not determined to be spam, themail server may deliver the e-mail to the intended recipient's e-mailaddress 170. A advantage of the foregoing method is that users mayreceive unsolicited e-mail, such as commercial spam, without beinginundated by unwanted spam from completely unknown and unverifiedsenders. In addition, mail recipients are thereby able to trace thesource of the address provider for accepted spam mail.

FIG. 2 is a flow diagram showing exemplary steps of a method fordetermining whether or not a listed sender of an incoming message isforged. This method may be applied in combination with the method shownin FIG. 1. For example, if a particular sender is approved via themethod of FIG. 1 or otherwise recognized as an approved sender, it maystill be advantageous to determine whether or not the return addressindicated in the e-mail is genuine. The flow diagram depicts a methodfor determining whether an e-mail originates from a forged sender andmay be performed at any point during, after, before, or instead of theexecution of the method depicted in FIG. 1, but before delivering thee-mail to the intended recipient's e-mail address (FIG. 1, 170).

A mail server receives data pertaining to an e-mail directed to anintended recipient 200. This data includes information identifying apurported sender and a verification host. The data may be included inthe e-mail envelope, header, or body. Optionally, the data may beprovided separate from the e-mail or any part of the e-mail. Theinformation identifying the purported sender may be any one or acombination of an e-mail address, a domain name, an IP address, and anyother information which can be traced back to the sender.

The mail server then queries the verification host to determine if thee-mail originates from the purported sender 210. The step of queryingand receiving a response from the verification host may conducted over atwo-way transmission channel, such as Transmission Control Protocol(TCP/IP), User Datagram Protocol (UDP), SCTP, and the like, via atransmission. Other communication modes may include e-mail or any othersynchronous or asynchronous communication method. The query typicallyincludes information identifying the e-mail. This information may havebeen included with the original e-mail, such as an authorization code orat least a portion of the text contained in the envelope, header or bodyof the e-mail. Alternatively, this information may be separatelygenerated by the mail server based on data contained in the e-mail, suchas a hash value or checksum based on the e-mail, or a digest of thee-mail. A hash value or checksum may, for example, be generated based onthe entire e-mail or based on the e-mail message, subject line, or otherfields contained in the e-mail. It should be noted, however, that e-mailheaders are often altered in transmission. Thus, hash values, checksums,and other values generated based on the e-mail would preferably excludethe headers or include only those headers generated up to a certainpoint in the transmission process or in time.

A hash value is obtained by converting e-mail data into a numericalvalue that may serve as a digital “fingerprint” of the e-mail. Afundamental property of all hash functions is that if two hashes(according to the same function) are different, then the two inputs aredifferent in some way. If a hash value is calculated for a piece ofdata, and then one bit of that data is changed, a hash function with astrong mixing property usually produces a completely different hashvalue. Various suitable ways or determining a hash value are known inthe art, and any suitable method may be used.

A checksum is a short piece of data that is added so that the receivercan check to see if the message was distorted during transmission. AnMD5 algorithm may be used to generate a hash value that is used as achecksum. Accordingly, in one embodiment, a server can later perform thesame operation on data, compare the result to the queried checksum, anddetermine whether the e-mail is identical.

Once the verification host receives the query from the mail server, theverification host determines whether the purported sender sent an e-mailhaving the same identifying information 230 and transmits a response tothe mail server. If the verification host finds a match and thusindicates the e-mail originates from the purported sender, then theverification host may transmit a confirmation to the intendedrecipient's mail server that the sender of the e-mail is not forged 240.The intended recipient's mail server then delivers the e-mail to theintended recipient 250. On the other hand, if the verification host doesnot find a match and thus indicates that such an e-mail was not sent232, then the verification host may transmit a confirmation to theintended recipient's mail server that the sender of the e-mail is notfound, optionally indicating that the e-mail may be forged 240. Theintended recipient's mail server may then discard the e-mail orotherwise prevent normal delivery to the intended recipient, such as bymarking it as spam or placing it in a spam folder 234.

In a preferred embodiment, the verification host is a server associatedwith the purported sender or a third party server authorized by thepurported sender. Where the verification host is a third party server,the verification host may provide the sender verification service notonly the purported sender but additionally other entities that wish toinstitute the protections afforded by the disclosed methods againstforged e-mails. The verification host may maintain or analyze sente-mails, and generate a database of identifying information thatuniquely identifies sent e-mails. For example, the verification host maystore identifying information relating to sent e-mails and generate hashvalues or checksums associated with the sent e-mails, the e-mail dateand time, the recipient address, or some combination of the foregoing orother information. Again, because e-mail headers are often altered intransmission, hash values, checksums, and other values generated basedon the e-mail would preferably exclude the headers or include only thoseheaders generated up to a certain point in the transmission process orin time. Thus, when a verification host receives a query from a mailserver, the verification host may determine whether the informationcontained in the query, i.e., the identity of the intended recipient andthe hash value or checksum generated for the e-mail, etc., can bematched up with the information contained in a data table of hash valuesor checksums for sent e-mails.

Optionally, the method disclosed in FIG. 2 may be supplemented with afurther check to determine whether the e-mail was transmitted by hostswhich are authorized to transmit e-mails from the purported sender.Information relating to authorized hosts may be obtained by querying DNSrecords. Once this information is obtained, the mail server maydetermine whether the e-mail is being transmitted from one of theauthorized hosts identified in the DNS records. If the e-mail is notbeing transmitted by an authorized host, the mail server may preventdelivery of the e-mail to the intended recipient.

In accordance with a further aspect of the embodiment, the method may beused to verify a plurality of e-mails in bulk. The plurality of e-mailsmay originate from the same source or from a plurality of sources thatare serviced by the same verification host. Verification for theplurality of e-mails may be requested using a single query. Delivery ofthe plurality of e-mails to the intended recipient may be allowed ifevery one of the plurality of e-mails is not determined to originatefrom a forged source. If the response from the verification hostindicates that the at least one of the plurality of e-mails does notoriginate from the purported sender, then the plurality of e-mails isdivided into a plurality of groups and the verification host may againbe queried to confirm that the e-mails in the plurality of groupsoriginates from the purported senders. Grouping of e-mail verificationin this manner may reduce communication bandwidth required foranti-forgery detection.

Verification may be initiated at some level higher than the ultimateaddressee. For example, verification may be performed by a post officeserver receiving mail for multiple clients. Any mail determined to nothave a genuine sender may be flagged by the post office beforedelivering to the client mailboxes, or simply discarded.

FIG. 3 is a block diagram showing the e-mail authentication system inaccordance with an embodiment of the invention. E-mail messages aretypically composed by an application running on a client machine 300 a.One standard for e-mail formats may be described by RFC 822 or byRFC2822, which are a standard and a proposed standard, respectively,promulgated by IETF. When composition of the message is completed, theuser uploads the completed message to a mail server 302 a. The mailserver 302 a in one embodiment is owned by an Internet Service Provider(ISP) or by a private corporation for whom the user works. The userclient machine 300 a connects to the mail server 302 a via dial-up,digital subscriber loop (DSL), cable Internet, or by other appropriateconnection.

Very commonly, the destination computer 300 b is a basic workstation anddoes not itself include a mail server function. Thus, it cannot fullysupport the Simple Mail Transport Protocol (“SMTP”) message routingprotocol. In these cases, the destination computer periodically queriesits assigned mail server 302 b and retrieves its mail messages from itsmailbox on the mail server. A common protocol used to receive thesemailbox messages from the mail server is the Post Office Protocol,version 3 (POP3). This protocol is defined in RFC1339.

Thus, as depicted in FIG. 3, an e-mail from the e-mail sender 300 a maybe transmitted from the sending mail server 302 a, to the network 310and to the receiving mail server 302 b in accordance with RFC821, or byRFC 2821, which are also a standard and a proposed standard,respectively, of the IETF. The RFC 821 and RFC 2821 documents describethe SMTP, which is the protocol by which e-mail messages have typicallybeen transported over the Internet. Once the e-mail is received by thereceiving mail server 302 b, the e-mail may be evaluated by the serverto determine whether it contains an identification of the sender and/orthe address provider. If the e-mail does not identify a valid sender, orif it identifies a sender but no address provider, then it may bedisposed of as spam, either before or after being further processed by aconventional spam detector/filter program 330. If the e-mail does,however, identify the sender and the address provider, or identifies asender for which no address provider is needed, then the mail server 302b may query an authentication server to determine whether the e-mailoriginates from an authorized sender or whether the return address isgenuine.

The authentication server 320 may have access to a database for cliente-mail addresses and approved senders that are associated with theaddress providers. In one embodiment, the authentication server 320 maybe operated by the address provider. In another embodiment, theauthentication server may be a third party that maintains separatedatabases associated with different address providers. In either ofthese embodiments, the authentication server may be accessed bydirecting a query to the address provider, which may be redirected tothe authentication server. In the alternative, queries may be sentdirectly to the authentication server. The authentication server 320 mayreceive queries from the intended recipient's mail server 302 b, accessthe appropriate database to determine whether an intended recipient'se-mail address is found on the client e-mail addresses or whether asender is identified as an approved sender, and respond to the mailserver 302 b. The e-mail may be delivered to the intended recipient 300b if the authentication server 320 communicates a response to the mailserver 302 b indicating that the e-mail is authorized.

In accordance with another embodiment, an independent determination maybe made before the e-mail is delivered to the intended recipient 300 b.Once an e-mail is determined to originate from an authorized sender, afurther check may be conducted to ensure that the e-mail actuallyoriginates from the authorized sender. Thus, the method outlined in FIG.2 may be conducted to determine whether or not a return address is notgenuine. The mail server 302 b generates a hash value, checksum or otheridentifying information based on the e-mail received from the sender andqueries the mail server 302 a or the sender 300 a requesting a returnconfirmation of sending the e-mail based on the hash value, checksum, orother identifying information. If a confirmation is received by the mailserver 302 b, the e-mail may be sent to the intended recipient 300 b. Ifno response or a negative response is received by the mail server 302 b,then the e-mail may be discarded.

The invention described and claimed herein is not to be limited in scopeby the specific preferred embodiments herein disclosed, since theseembodiments are intended as illustrations of several aspects of theinvention. Any equivalent embodiments are intended to be within thescope of this invention. Indeed, various modifications of the inventionin addition to those shown and described herein will become apparent tothose skilled in the art from the foregoing description. Suchmodifications are also intended to fall within the scope of the appendedclaims.

It is to be understood, however, that the detailed description andspecific examples, while indicating preferred embodiments of the presentinvention, are given by way of illustration and not limitation. Manychanges and modifications within the scope of the present invention maybe made without departing from the spirit thereof, and the inventionincludes all such modifications.

What is claimed is:
 1. A method for determining whether an e-mailoriginates from a sender who is authorized by an address provider tosend the e-mail to an intended recipient's e-mail address, the methodcomprising: using at least one computer to perform the steps of:receiving an e-mail directed to an intended recipient's e-mail address;determining a first identifier encoded in the e-mail identifying asender of the e-mail; determining a second identifier encoded in thee-mail that is distinct from the first identifier and from any e-mailaddress for the recipient, the second identifier identifying an addressprovider distinct from the sender and from the intended recipient as anentity from which the sender obtained the intended recipient's e-mailaddress; in response to determining the second identifier, querying anauthentication server to determine whether the sender is authorized bythe address provider to obtain the intended recipient's e-mail addressused for sending the e-mail to the intended recipient; receiving aresponse from the authentication server; delivering the e-mail to theintended recipient if the response indicates that the sender isauthorized by the address provider to obtain the intended recipient'se-mail address used for sending the e-mail to the intended recipient;and preventing normal delivery of the e-mail to the intended recipientif the response indicates that the sender is not authorized by theaddress provider to obtain the intended recipient's e-mail address usedfor sending the e-mail to the intended recipient.
 2. The method of claim1, wherein the address provider is identified in an e-mail header,subject line, or body.
 3. The method of claim 2, wherein the addressprovider is identified in a user-defined field.
 4. The method of claim2, wherein the address provider is separated by at least onemachine-readable character delimiter.
 5. The method of claim 1, whereinthe e-mail further comprises an IP address associated with theauthentication server.
 6. The method of claim 5, wherein theauthentication server is provided by the address provider.
 7. The methodof claim 5, wherein the authentication server is provided by a thirdparty that is associated with the address provider and one or moredifferent address providers.
 8. The method of claim 1, wherein theauthentication server accesses a database comprising a first list ofclient e-mail addresses associated with the address provider or a secondlist of approved senders associated with the address provider.
 9. Themethod of claim 8, wherein the step of querying the authenticationserver comprises determining whether the intended recipient's e-mailaddress is on the first list of client e-mail addresses.
 10. The methodof claim 9, wherein the response received from the authentication serverindicates that the sender is an authorized sender if the intendedrecipient's e-mail address is on the first list of client e-mailaddresses and wherein the response received from the authenticationserver indicates that the sender is not an authorized sender if theintended recipient's e-mail address is not on the first list of cliente-mail addresses.
 11. The method of claim 8, wherein the step ofquerying the authentication server comprises determining whether thesender is on the second list of approved senders.
 12. The method ofclaim 11, wherein the response received from the authentication serverindicates that the sender is an authorized sender if the sender isidentified on the second list of approved senders and wherein theresponse received from the authentication server indicates that thesender is not an authorized sender if the sender is not identified onthe second list of approved senders.
 13. The method of claim 1, whereinpreventing normal delivery of the e-mail to the intended recipientfurther comprises an action selected from the group consisting of:discarding the e-mail, marking the e-mail as spam, and segregating thee-mail with spam.
 14. The method of claim 1 further comprisingconfirming that the e-mail originates from the sender identified in thee-mail before the step of delivering the e-mail.
 15. The method of claim14, wherein the sender is identified by an IP address and whereinconfirming step is performed by sending a query to the sender's IPaddress requesting a confirmation that the sender sent the e-mail. 16.The method of claim 15, wherein the query comprises providing a hashvalue for the e-mail and requesting that the sender confirm sending thee-mail based on the hash value.
 17. The method of claim 16, wherein thestep of taking a different action is performed if the sender does notconfirm sending the e-mail within a predetermined time period or apredetermined number of query attempts to the sender's IP address.
 18. Asystem for authenticating the dispersal of an intended recipient'se-mail address from an address provider to a sender, the systemcomprising: a mail server, comprising at least one computer, configuredfor receiving an e-mail directed to an intended recipient's e-mailaddress, determining a first identifier encoded in the e-mailidentifying a sender of the e-mail, determining a second identifierencoded in the e-mail that is distinct from the first identifier andfrom any e-mail address for the recipient, and using the secondidentifier to identify an address provider distinct from the sender andfrom the intended recipient as an entity from which the sender obtainedthe intended recipient's e-mail address; an authentication server,comprising at least one computer, accessible by the mail server, whereinthe authentication server receives and responds to queries from the mailserver; and a database accessible by the authentication server, whereinthe database comprises information that permits the authenticationserver to determine whether the sender is authorized by the addressprovider to obtain the intended recipient's e-mail address used forsending e-mail to the intended recipient's e-mail address.
 19. Thesystem of claim 18, wherein the address provider is identified in anyone or more from the group consisting of: the e-mail header, subjectline, and body.
 20. The method of claim 19, wherein the address provideris identified in a user-defined field.
 21. The system of claim 19,wherein the address provider is separated by at least onemachine-readable character delimiter.
 22. The system of claim 18,wherein the e-mail further comprises an IP address associated with theauthentication server.
 23. The system of claim 22, wherein theauthentication server is provided by the address provider.
 24. Thesystem of claim 22, wherein the authentication server is provided by athird party that is associated with the address provider and one or moredifferent address providers.
 25. The system of claim 18, wherein thedatabase comprises a first list of client e-mail addresses associatedwith the address provider and a second list of approved sendersassociated with the address provider.
 26. The system of claim 25,wherein the sender is authorized by the address provider to obtain theintended recipient's e-mail address if the intended recipient's e-mailaddress is on the first list of client e-mail addresses.
 27. The systemof claim 25, where the sender is authorized by the address provider toobtain the intended recipient's e-mail address if the sender is on thesecond list of approved senders.